I am the Global Head of Security Research for Sophos, one of the world's largest security companies, trying to defend against malicious code. I'm also a Certified Instructor and Director, EMEA for the SANS Institute, where I teach a variety of subjects including incident handling and ethical hacking. For the past 10 years I've researched malware, hacking and cryptography. I've worked with many of the world's largest and most paranoid organizations to help define security strategy. I often appear on TV ranting about security, have delivered a TED talk and am a frequent speaker at conferences worldwide. These days I am also very keen on developing the next generation of security talent. I've done some work I'm really proud of and some stupid things. I will share my experiences and save others the trouble. Geek at heart.

New OpenSSL Defects - Another Heartbleed? Tor Stripped?

Today an announcement at www.openssl.org disclosed six vulnerabilities in the widely used OpenSSL software, the same software that recently hit the headlines for the Heartbleed vulnerability. The six software defects (details available here) range in severity and impact: they can allow an attacker to create a denial of service condition or, in certain situations, achieve remote code execution (for the uninitiated this is basically a very bad thing, because attackers can run any code they want to do whatever they want on your computer). Some have been quick to seize on these defects as "another Heartbleed", but while these defects are serious that seems a bit of a stretch. It is unlikely that these vulnerabilities will get as much media attention; for one thing, their names aren't as terrifying and catchy as Heartbleed. That said, you still need to take note. The announcement, shown below, reveals a myriad of nasty vulnerabilities and undermines the security of quite a few applications and services, including the ever popular Tor (more on that below).

OpenSSL has released fixes for all of these defects and lists the vulnerable versions (and patches) on its website. In short, if your IT team patches the software, all of these risks can be mitigated quickly and easily. One caveat: updating the library package is not the whole job, because every service that loaded the old copy keeps running the old code until it is restarted (or the host rebooted), so the plan needs to cover restarts as well as package updates. Unfortunately, as we've learned from Heartbleed (and other instances), many IT organisations are very fast to patch Windows systems but very slow to deal with Linux (or other) systems. This leaves extended periods where surprisingly critical software is not patched and attackers could compromise your systems. Even now I am finding devices that are vulnerable to Heartbleed, most recently several CCTV camera systems. The vendors of these products show little sign of patching any time soon.

To reiterate from my previous post, all software has defects, and the reporting of such a large group of vulnerabilities is actually reassuring. During the Heartbleed saga we learned that the team responsible for maintaining this crucial code is surprisingly small, underfunded and the code under-reviewed. The many researchers' names in this release show more firms and researchers getting their eyes on the code and identifying problems. In short, we should be reassured by these additional discoveries (and the many that will undoubtedly follow). OpenSSL is widely used, very important code that has historically been under-resourced (as admitted by its own team; see my earlier article). Recently the Linux Foundation put two full-time developers towards the project and organised vendors to donate cash to the project to start a program of improvement. If you would like to donate to this important project, you can do so here.

Make sure your organisation has a plan to patch these defects to prevent attackers crashing your critical systems or potentially executing malicious code. In particular, pay close attention to web servers, but any other system that uses SSL to encrypt information, including appliances and embedded devices that ship their own copy of OpenSSL, may have the defect too. Follow @jameslyne on Twitter.
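The hard part of the plan above is usually finding everything that uses OpenSSL, including services that were patched but never restarted. The script below is an added example for this article, not code from the post or from the OpenSSL project: on a Linux host it reports the installed openssl tool version and then walks /proc to list every running process with libssl or libcrypto mapped, flagging processes whose mapped copy has been deleted on disk (the package was upgraded, the process still executes the old code). The library file names and the /proc/<pid>/maps layout are Linux assumptions.

```shell
#!/bin/sh
# Added example: inventory OpenSSL usage on a Linux host.
# Reports (1) the openssl tool version installed and (2) every process that
# has libssl/libcrypto mapped, tagging mappings of a deleted file as STALE:
# such a process was patched by the package manager but not restarted.

# Read one /proc/<pid>/maps listing on stdin and print each distinct
# OpenSSL shared object it maps, one per line as "path STATE", where
# STATE is STALE when the file was deleted on disk and current otherwise.
# Assumes the Linux maps format: addr perms offset dev inode path [(deleted)].
classify_maps() {
    awk '$6 ~ /lib(ssl|crypto)\.so/ {
            state = ($7 == "(deleted)") ? "STALE" : "current"
            seen[$6 " " state] = 1
        }
        END { for (k in seen) print k }' | sort
}

# Walk every process on the host. Reading another user's maps needs root.
inventory_host() {
    printf 'installed: %s\n' "$(openssl version 2>/dev/null || echo 'openssl tool not found')"
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        classify_maps < "$maps" | while read -r lib state; do
            printf '%-6s %-16s %-8s %s\n' "$pid" "$comm" "$state" "$lib"
        done
    done
}

# Run the scan only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    inventory_host
fi
```

Run it as `sh inventory.sh --scan` with root privileges and restart anything tagged STALE. Two gaps to keep in mind: a binary that links OpenSSL statically maps no libssl file and will not appear, and an appliance or CCTV camera of the kind mentioned above gives you no shell to run this on at all, so those still need a version statement from the vendor.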


Hi there. I quite agree. It is open source and very, very widely depended upon. As I wrote in my original article, the team has worked valiantly but hasn't been given the right resources for their mission (a critical one at that). It isn't a failing of the project team but of the rest of the industry, which should have focused on this important software earlier. Their team leader made similar comments publicly. They need donations, they need support and they are starting to get it; more vulnerabilities (as I say in the article) are actually a good thing. It shows improvement and more eyes on the code. Sorry you feel I'm a twit, but I hope you understand where I am coming from.

In general, Heartbleed does not affect Windows systems, unless they are running an application that requires OpenSSL. I have written a blog post on how this new OpenSSL can make Heartbleed worse: http://bit.ly/1p6pGtl